Amazon Cognito User Pool Should Prevent User Existence Errors

Overview

This check verifies that Amazon Cognito app clients have the PreventUserExistenceErrors setting enabled. When enabled, this setting ensures that authentication error messages are generic and do not reveal whether a specific username exists in your user pool.

Risk

When this setting is disabled, error messages during login, password reset, or account confirmation can reveal whether a username exists. Attackers can exploit this to:

  • Enumerate valid accounts by testing usernames and observing different error messages
  • Launch targeted attacks like credential stuffing against confirmed accounts
  • Abuse password reset flows to identify active users
  • Increase success rates for phishing and social engineering

This is considered a medium severity issue because it provides attackers with reconnaissance information that makes other attacks more effective.

Remediation Steps

Prerequisites

You need access to the AWS Console with permissions to modify Cognito User Pool settings, or equivalent CLI/API permissions (cognito-idp:UpdateUserPoolClient).

AWS Console Method

  1. Open the Amazon Cognito console at https://console.aws.amazon.com/cognito/
  2. Choose User pools from the left navigation
  3. Select the user pool containing the app client you need to update
  4. Go to the App integration tab
  5. Scroll down to App clients and analytics and select the app client
  6. Click Edit
  7. Under Advanced authentication settings, find Prevent user existence errors
  8. Set it to Enabled
  9. Click Save changes

Repeat for each app client in your user pool.

AWS CLI (optional)

Use the update-user-pool-client command to enable this setting.

Important: update-user-pool-client is not a partial update. Attributes you do not pass explicitly may be reset to their default values, so describe the client first and pass its existing settings (token validity, auth flows, callback URLs, and so on) back in alongside the new value.

# First, get the current client configuration (recommended)
aws cognito-idp describe-user-pool-client \
--user-pool-id <USER_POOL_ID> \
--client-id <APP_CLIENT_ID> \
--region us-east-1

# Update the client to enable prevent-user-existence-errors
aws cognito-idp update-user-pool-client \
--user-pool-id <USER_POOL_ID> \
--client-id <APP_CLIENT_ID> \
--prevent-user-existence-errors ENABLED \
--region us-east-1

Replace:

  • <USER_POOL_ID> with your user pool ID (e.g., us-east-1_aBcDeFgHi)
  • <APP_CLIENT_ID> with your app client ID

To list all app clients in a user pool:

aws cognito-idp list-user-pool-clients \
--user-pool-id <USER_POOL_ID> \
--region us-east-1

CloudFormation (optional)

Add or update the PreventUserExistenceErrors property in your AWS::Cognito::UserPoolClient resource:

AWSTemplateFormatVersion: '2010-09-09'
Description: Cognito User Pool Client with PreventUserExistenceErrors enabled

Parameters:
  UserPoolId:
    Type: String
    Description: The ID of the existing Cognito User Pool

Resources:
  UserPoolClient:
    Type: AWS::Cognito::UserPoolClient
    Properties:
      ClientName: secure-app-client
      UserPoolId: !Ref UserPoolId
      PreventUserExistenceErrors: ENABLED
      ExplicitAuthFlows:
        - ALLOW_USER_SRP_AUTH
        - ALLOW_REFRESH_TOKEN_AUTH

Outputs:
  ClientId:
    Description: The ID of the app client
    Value: !Ref UserPoolClient

Deploy with:

aws cloudformation deploy \
--template-file template.yaml \
--stack-name cognito-secure-client \
--parameter-overrides UserPoolId=<USER_POOL_ID> \
--region us-east-1

Terraform (optional)

Set prevent_user_existence_errors to "ENABLED" in your aws_cognito_user_pool_client resource:

resource "aws_cognito_user_pool_client" "example" {
  name         = "example-app-client"
  user_pool_id = aws_cognito_user_pool.example.id

  # Enable this setting to prevent user existence errors
  prevent_user_existence_errors = "ENABLED"

  explicit_auth_flows = [
    "ALLOW_USER_SRP_AUTH",
    "ALLOW_REFRESH_TOKEN_AUTH"
  ]
}

Apply with:

terraform plan
terraform apply

Verification

After making the change, verify the setting is enabled:

  1. In the AWS Console, navigate to the app client and confirm Prevent user existence errors shows as Enabled
  2. Test your application's login flow: error messages for invalid usernames should now be generic (e.g., "Incorrect username or password") rather than revealing whether the user exists

CLI Verification

aws cognito-idp describe-user-pool-client \
--user-pool-id <USER_POOL_ID> \
--client-id <APP_CLIENT_ID> \
--region us-east-1 \
--query 'UserPoolClient.PreventUserExistenceErrors'

The output should be:

"ENABLED"
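The audit and the "describe first, then update without losing settings" caveat above, as an added Python example that is not part of the original page. The helper names are assumed; the dicts mirror the UserPoolClient shape that describe-user-pool-client returns, with constructed placeholder IDs, and the read-only field list is the set an update call rejects.

```python
"""Audit Cognito app clients for PreventUserExistenceErrors and build a lossless fix."""
import json

# Fields in a DescribeUserPoolClient response that UpdateUserPoolClient
# does not accept; everything else is passed back so nothing is reset.
READ_ONLY_FIELDS = {"ClientSecret", "CreationDate", "LastModifiedDate"}


def is_compliant(client):
    """True only when explicitly ENABLED; a missing value means LEGACY behaviour."""
    return client.get("PreventUserExistenceErrors") == "ENABLED"


def build_update_request(client):
    """Turn a described 'UserPoolClient' dict into kwargs for update_user_pool_client,
    keeping token validity, auth flows, callback URLs, etc. intact."""
    params = {k: v for k, v in client.items() if k not in READ_ONLY_FIELDS}
    params["PreventUserExistenceErrors"] = "ENABLED"
    return params


def audit(clients):
    """One finding per client; non-compliant clients carry a ready-to-send fix."""
    findings = []
    for c in clients:
        ok = is_compliant(c)
        findings.append({
            "UserPoolId": c["UserPoolId"], "ClientId": c["ClientId"],
            "ClientName": c.get("ClientName"), "compliant": ok,
            "fix": None if ok else build_update_request(c),
        })
    return findings


# Constructed sample responses; IDs and the secret are placeholders, not real values.
SAMPLE_CLIENTS = [
    {"UserPoolId": "us-east-1_EXAMPLE01", "ClientId": "example-client-legacy",
     "ClientName": "legacy-web", "ClientSecret": "PLACEHOLDER-SECRET",
     "CreationDate": "2020-01-01T00:00:00Z", "RefreshTokenValidity": 30,
     "ExplicitAuthFlows": ["ALLOW_USER_PASSWORD_AUTH", "ALLOW_REFRESH_TOKEN_AUTH"],
     "PreventUserExistenceErrors": "LEGACY"},
    {"UserPoolId": "us-east-1_EXAMPLE01", "ClientId": "example-client-ok",
     "ClientName": "mobile", "PreventUserExistenceErrors": "ENABLED"},
    {"UserPoolId": "us-east-1_EXAMPLE01", "ClientId": "example-client-unset",
     "ClientName": "api-created"},  # attribute absent: treated as non-compliant
]

if __name__ == "__main__":
    # Live use: feed describe_user_pool_client(...)["UserPoolClient"] dicts in, then
    # call boto3.client("cognito-idp").update_user_pool_client(**finding["fix"]).
    for finding in audit(SAMPLE_CLIENTS):
        print(json.dumps(finding, indent=2))
```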

Additional Resources

Notes

  • New app clients: As of recent AWS updates, new app clients created through the console have this setting enabled by default. However, older clients or those created via API may not have it enabled.
  • Multiple app clients: Each app client has its own setting. You must enable this for every app client in your user pool.
  • No downtime: Enabling this setting does not cause any service interruption or require application changes.
  • Complementary controls: For comprehensive protection, combine this setting with:
    • Multi-factor authentication (MFA)
    • Rate limiting and throttling
    • Advanced security features (anomaly detection)
    • Strong password policies